Overview

overview

8

Static

static

8eb486515c...3d.exe

windows7-x64

8

8eb486515c...3d.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    156s
  • max time network
    158s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06/11/2022, 15:32

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8eb486515c54507ef3adda8e6c2739a601035476f9bc073d96cfe60c77e0973d.exe

  • Size

    142KB

  • MD5

    079a0932ea0a8bb6b8a60fc4f7a07116

  • SHA1

    0ed3b3ac16a562f061ff9ad2864e1d4258fc4220

  • SHA256

    8eb486515c54507ef3adda8e6c2739a601035476f9bc073d96cfe60c77e0973d

  • SHA512

    00f598a9478a9dfe2cd7454299041355c7bbb7f34e0cf21571e0b99a3f5cf9b4d655b6d73324a8c32dde1398dd6c106adda468816e5afce2e74972ca2ca84b74

  • SSDEEP

    3072:wbRBxl5NBkrR6xT2NvGcStqkZ5b0hBAOj8D:6xl5NSRrvwtqkjwMOjs

Score
8/10
spywarestealer

Malware Config

Signatures

  • Drops file in Drivers directory 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Drops startup file 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates connected drives 3 TTPs 22 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 29 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:2056
      • C:\Users\Admin\AppData\Local\Temp\8eb486515c54507ef3adda8e6c2739a601035476f9bc073d96cfe60c77e0973d.exe
        "C:\Users\Admin\AppData\Local\Temp\8eb486515c54507ef3adda8e6c2739a601035476f9bc073d96cfe60c77e0973d.exe"
        2⤵
        • Drops file in Drivers directory
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:4896
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:4488
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
              PID:4872
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aB395.bat
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:3780
            • C:\Users\Admin\AppData\Local\Temp\8eb486515c54507ef3adda8e6c2739a601035476f9bc073d96cfe60c77e0973d.exe
              "C:\Users\Admin\AppData\Local\Temp\8eb486515c54507ef3adda8e6c2739a601035476f9bc073d96cfe60c77e0973d.exe"
              4⤵
              • Executes dropped EXE
              PID:4380
          • C:\Windows\Logo1_.exe
            C:\Windows\Logo1_.exe
            3⤵
            • Drops file in Drivers directory
            • Executes dropped EXE
            • Drops startup file
            • Enumerates connected drives
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:3404
            • C:\Windows\SysWOW64\net.exe
              net stop "Kingsoft AntiVirus Service"
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:1492
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                5⤵
                  PID:4660
              • C:\Windows\SysWOW64\net.exe
                net stop "Kingsoft AntiVirus Service"
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:1280
                • C:\Windows\SysWOW64\net1.exe
                  C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                  5⤵
                    PID:1148

          Network

          MITRE ATT&CK Enterprise v6

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\$$aB395.bat
            Filesize

            722B

            MD5

            9abc6c45045849309d8c3f3840c307eb

            SHA1

            21542893e60c3991493ceea3c25d8fc3922a1bb2

            SHA256

            873e5dd487151d2a73d57622db2d5db0e63e571f768cb7e4a74b3d046a8fc32e

            SHA512

            cc07d599d867190edd6c2a3f3c025ce941dfe4cd5cb7061aa305ec893ec9304b187fdc66b9b395c2caea9fbf312e347978aebf8144faa65b68249d80a5f59611

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\8eb486515c54507ef3adda8e6c2739a601035476f9bc073d96cfe60c77e0973d.exe
            Filesize

            39KB

            MD5

            54c88bfbd055621e2306534f445c0c8d

            SHA1

            960a171e826c077187fe634103874644327a6110

            SHA256

            032f7bb13ed19bd085193ef7912d758fdc2839d24a1e8d49bea354864d4920eb

            SHA512

            f992a4f6e7b6eba4e0e3dff10c886bf8aad96350659648bdecc1ada7518e6bb10f873d3ffb30f558364395115aae5a2f08ba24b0aa821f36980d8e9712fc6c51

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\8eb486515c54507ef3adda8e6c2739a601035476f9bc073d96cfe60c77e0973d.exe.exe
            Filesize

            39KB

            MD5

            54c88bfbd055621e2306534f445c0c8d

            SHA1

            960a171e826c077187fe634103874644327a6110

            SHA256

            032f7bb13ed19bd085193ef7912d758fdc2839d24a1e8d49bea354864d4920eb

            SHA512

            f992a4f6e7b6eba4e0e3dff10c886bf8aad96350659648bdecc1ada7518e6bb10f873d3ffb30f558364395115aae5a2f08ba24b0aa821f36980d8e9712fc6c51

            Download Submit

          • C:\Windows\Logo1_.exe
            Filesize

            103KB

            MD5

            bb96a2f750be9e599b9b29965b9def4a

            SHA1

            3f4e2fc9395eb7509e4a5955e242c6952a7f2df3

            SHA256

            69a98def3f2156f1815bd2e72953401b1cef125aca87d898bef287bf21b6a596

            SHA512

            3f177f27402a9515d2d0c802acd60001de4b451590645d16e41140b4734fc8fada9a8731bbd09f0e3a019d560b4104a50c8a4584a9b467fbe1ba958db32aac0c

            Download Submit

          • C:\Windows\Logo1_.exe
            Filesize

            103KB

            MD5

            bb96a2f750be9e599b9b29965b9def4a

            SHA1

            3f4e2fc9395eb7509e4a5955e242c6952a7f2df3

            SHA256

            69a98def3f2156f1815bd2e72953401b1cef125aca87d898bef287bf21b6a596

            SHA512

            3f177f27402a9515d2d0c802acd60001de4b451590645d16e41140b4734fc8fada9a8731bbd09f0e3a019d560b4104a50c8a4584a9b467fbe1ba958db32aac0c

            Download Submit

          • C:\Windows\rundl132.exe
            Filesize

            103KB

            MD5

            bb96a2f750be9e599b9b29965b9def4a

            SHA1

            3f4e2fc9395eb7509e4a5955e242c6952a7f2df3

            SHA256

            69a98def3f2156f1815bd2e72953401b1cef125aca87d898bef287bf21b6a596

            SHA512

            3f177f27402a9515d2d0c802acd60001de4b451590645d16e41140b4734fc8fada9a8731bbd09f0e3a019d560b4104a50c8a4584a9b467fbe1ba958db32aac0c

            Download Submit